Archive

Posts Tagged ‘web’

Small Business Defense – Web Disclosure

October 22nd, 2009 Josh

The best defense you have against an accidental data leak is to keep a clear data classification policy and invest in technology that prevents data tagged "private" (or "non-public") from being released. However, that's not practical for many businesses.

As an alternative, you can flip it around and run attacks against your own servers. You can do file-level scans and make sure that the only files made public are the ones that are supposed to be. Note, though, that an attacker could always find your scanning software and use that to explore the system (as I did).
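One way to do the file-level scan the paragraph describes is to walk the web document root and report every file that is not on an allowlist of things you actually intend to serve. The script below is an added example written for this page, not code from the original post; the allowed suffixes and the sample web root it builds (a backup archive, a spreadsheet in a public folder, a `.bak` copy of a config file, a `.htpasswd` file) are constructed assumptions for illustration.

```python
"""Walk a web document root and report files that should not be publicly served.

Added example: the allowlist and the sample web root are assumptions, not taken
from the original post.
"""
import tempfile
from pathlib import Path

# Suffixes a typical brochure-style site is expected to serve. Anything else in
# the document root is reported so a human can decide whether it belongs there.
ALLOWED_SUFFIXES = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".gif", ".ico", ".pdf"}


def scan_webroot(root, allowed=ALLOWED_SUFFIXES):
    """Return a sorted list of paths (relative to root) that are not on the allowlist.

    Hidden files and directories (names starting with a dot, such as .htpasswd or
    a .git checkout) are reported regardless of suffix, because they almost never
    belong in a public web root.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        hidden = any(part.startswith(".") for part in rel.parts)
        if hidden or path.suffix.lower() not in allowed:
            findings.append(rel.as_posix())
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed sample web root in a temp directory and return its path."""
    d = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = {
        "index.html": "<html></html>",
        "css/site.css": "body{}",
        "img/logo.png": "",
        "docs/brochure.pdf": "",
        "docs/board-members.xls": "",   # spreadsheet left in a public folder
        "backup/site-2009.zip": "",     # full-site backup archive
        "config.php.bak": "",           # editor backup of a config file
        ".htpasswd": "",                # credential file that should never be served
    }
    for rel, content in files.items():
        p = d / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return d


if __name__ == "__main__":
    root = build_sample_webroot()
    for f in scan_webroot(root):
        print("unexpected public file:", f)
```

Run it against the real document root (`scan_webroot("/var/www/html")`, for example) from a scheduled job and diff the output against the previous run; the allowlist approach means a newly dropped backup or export shows up immediately rather than only after a search engine has indexed it.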

Alternatively alternatively, you could run various Google scans against your systems, and even schedule them to occur on a regular basis. The scans would only be as good as the person setting them up, though, and it is quite possible that something could slip through. Regardless, you're only catching things this way once Google knows about them... and by then attackers might be able to get them too.

You could also just not have any public Web presence at all. If there's no web site, there's no chance of a data leak... but it would also make it difficult to get new business. The same goes for not having any private data. Unless you're working strictly with open source, odds are that you're going to have some secret.

You know, a data classification program is starting to look more appealing.


Small Business Attack – Web Disclosure

October 21st, 2009 Josh

One of the flaws on a legacy server at the Iowa State University Cyber Defense Competition resulted in granting me the ability to scan the entire web directory. Normally, you'd think "What's the big deal", right? After all, the whole point of having a web server is to share it with the world.

In the case of the competition, some very private data was stored on the site. Sure, it was protected, but since there was the flaw that let me scan the system, it was easy enough to circumvent security restrictions and download the files I wanted. After all, I knew exactly where to look.

In the industry, we call this a "data leak". Typically, it's when private data somehow wanders across a boundary to the public world and someone on the outside finds it. This used to be primarily done via email or disk, but increasingly it occurs through the Web. As we combine web-based technologies into both extranets and intranets, the chance increases that something from the internal intranet world will cross over into the external extranet world.

Of course, it should be simple, right? Just keep the private stuff private... well, sorta. It turns out, not all information falls cleanly into "public" and "private" categories. Increasingly, attackers target private data, but if they can't get it, they can leverage sorta-private data against sorta-public data. By finding, for example, the names of your board members on a public website, their mother's maiden names from a genealogy site, and their personal associations from a search engine, an attacker is in the perfect position to start taking over accounts and working towards that more private data... and that's just with purely public information.

Imagine if they were able to get confidential or private data...


Categories: Business Security